?switchport protected between switches

steve.dutky
Level 1

Hi,

I have several 2950s and 3550s hung on trunks off a common 3550 EMI.

Configuring switchport protected on interfaces disables L2 communications between these interfaces on the same switch.

Can anyone tell me a sane/simple way to disable L2 between interfaces on the same VLAN on different switches?

Thanks.

5 Replies

Edison Ortiz
Hall of Fame

What exactly are you trying to achieve?

Are you trying to block a port between switches?

Switchports default to L2 and can only be changed to L3 if running a 3550 or later, with the no switchport command.

Ref attached jpg

I hope to find a way that restricts workstations (designated A-E on jpg) configured on the same vlan to communicate only to designated servers and the default gateway.

These workstations should get no reply when arping to any other on-net address.

I understand that switchport protected does this when configured for workstations residing on the same switch as the server and gateway (i.e. the rightmost 2950).

Thanks,

switchport protected

I believe I understand now.

switchport protected works on the same switch, while you want to expand this concept over multiple switches, am I right?

Well, there is an option, it's called Private VLANs, but it's supported on 3560/3750 and other high-end switches.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_35_se/configuration/guide/swpvlan.html

Thanks.

As I understand it then, all hosts connected to associated primary and secondary private VLANs occupy the same IP subnet, with a gateway configured on the primary VLAN's SVI.

Short of replacing all switches with 3560/3750s, could I get L2 isolation by

1. replace the 3550 at the root with a 3560 trunked to both 2950's.

2. configure the 3560 with private primary vlan X with associated private isolated vlan Y

3. configure all 2950 ports connected to workstations as switchport access vlan Y and switchport protected.

4. configure the 2950 ports connected to the server as switchport access vlan X and no switchport protected.

It might work, but just thinking about it gave me a headache :)

Best to draw it up and play around with that idea in a Lab.
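For reference, this is the 3560-side private VLAN configuration the linked guide describes, with the workstations on isolated host ports and the server and gateway reachable through a promiscuous port and the primary VLAN's SVI. It is an added example, not configuration from this thread; the VLAN numbers, interface names and addresses are constructed, and the 2950 side is not covered.

```cisco
! Private VLANs on the 3560 require VTP transparent mode (VTP v1/v2).
vtp mode transparent
!
! Secondary (isolated) VLAN: hosts in it cannot reach each other at L2.
vlan 200
 private-vlan isolated
!
! Primary VLAN, associated with the isolated VLAN.
vlan 100
 private-vlan primary
 private-vlan association 200
!
! Workstation ports (constructed): isolated host ports in 100/200.
interface range FastEthernet0/1 - 5
 description workstations A-E
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
!
! Server port (constructed): promiscuous, so it can talk to every host
! in isolated VLAN 200 while those hosts still cannot see each other.
interface GigabitEthernet0/1
 description server
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200
!
! Default gateway on the primary VLAN's SVI (constructed address),
! mapped to the isolated VLAN so routed traffic reaches the hosts.
interface Vlan100
 ip address 192.168.10.1 255.255.255.0
 private-vlan mapping 200
!
! Verification:
!   show vlan private-vlan
!   show interfaces FastEthernet0/1 switchport
```

With this in place, a workstation on FastEthernet0/1 gets ARP replies only from the server port and the SVI, which is the behaviour asked for in the original question.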